CHAPTER 6: INFORMATION SECURITY POLICY AND SCOPING

While risk assessment is the core competence of information security, it is the information security policy and the agreed scope of the ISMS that provide the organisational context within which that risk assessment takes place. The first step in the planning phase for the establishment of an ISMS is the definition of the information security policy. A risk assessment can only be carried out once an information security policy exists to provide context and direction for the risk assessment activity.

Information security policy

This requirement is set out in clause 4.2.1 of ISO27001 (and control A.5.1, in Annex A to ISO27001). It is not always, however, as straightforward as it seems. It may ...
